Secret Double Octopus and Ponemon Institute announced the results of a US-based study focused on understanding the state of workforce passwordless authentication, from motivational drivers to results after transitioning to its use.
Results demonstrated that remote work has driven, and will continue to drive, adoption of workforce passwordless authentication. In addition, the survey responses were used to calculate the economic efficiencies gained from passwordless technologies; the calculation suggests cost savings of $1.9M over conventional password-based MFA.
“Enterprises continue to feel threatened in the pandemic, with many feeling targeted, and this, along with remote work and the associated loss of productivity from password problems, is driving increased adoption of passwordless technologies,” said Dr. Larry Ponemon. “Going forward, organizations are extremely bullish on adopting passwordless authentication.”
Key survey findings also revealed:
- 63% of respondents see phishing as the number one password-based attack, more than ransomware, credential stuffing or brute force attacks.
- Only 11% of respondents are using passwordless for most or all use cases, where users don’t know or manage their account password, indicating much room for growth in adoption.
- 61% of respondents feel the remote workforce significantly influences or influences their adoption of passwordless.
- 75% also indicate that employee downtime during remote work has been a motivator for this adoption.
- Organizations with passwordless authentication have significantly fewer help desk calls pertaining to passwords (7% of all help desk issues vs. 43% without). The 43% figure is in line with prior industry figures suggesting that between 30% and 50% of help desk calls can be due to password-related resets and other issues.
Remote workforce reportedly felt increased security risk despite broad use of MFA
The study highlights that most organizations are using MFA in some way, with 60% reporting some use, but key areas such as servers, VPN, legacy software, mobile applications and virtualization all have MFA in use in less than 40% of respondents’ environments.
The study also finds that organizations feel the impact of remote work is reducing their security posture. Cloud infrastructure and services are deemed the highest area of risk, with 60% of organizations feeling that remote work makes cloud infrastructure less secure, despite its being the resource they most protect with MFA (53% of organizations indicated MFA use for cloud services).
Traditional password authentication significantly more expensive
To estimate the total economic loss from traditional password-based authentication versus passwordless, organizations were asked to detail a range of costs, including direct IT costs, downtime, lost business, damaged reputation and paid ransomware.
Over the two-year period:
- Passwordless authentication saves an average of $534K over conventional authentication in help desk costs, with organizations spending an average of roughly $1.5M over the two years.
- Passwordless authentication saves the average organization $1.4M in costs over conventional password-based authentication.
“Many organizations may feel they are doing the most expedient thing for securing their organizations by rolling out more conventional MFA,” said Horacio Zambrano, CMO of Secret Double Octopus. “But the data clearly show there is an enormous amount of lost productivity per employee and financial risk by not removing the link between the password and the employee.”
Recommendations for the enterprise
To reach the goals of better security and increased productivity, organizations must:
- Eliminate misconceptions around passwordless and better understand the cost and security implications of the technology. Roughly 40% of respondents who have not adopted passwordless felt it was not as secure as other two-factor authentication or traditional MFA methods. Passwordless generally involves biometrics for authentication, which are widely regarded as a way to elevate trust and assure identity.
- Deploy desktop MFA. Insecure connections to the network domain rank as the second most concerning risk area arising from remote work, signaling the importance of eliminating the password for the desktop, since it usually replicates the network domain password.
- Look for vendors with broad coverage of use cases across the enterprise where a user no longer has to remember a password. Lack of support can be an inhibitor to adoption, with 56% of respondents indicating that they would not move to passwordless due to the lack of legacy system and application support.